Malware Analysis Report

2024-11-15 09:49

Sample ID 241110-bz9bcawhre
Target 58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N
SHA256 58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166
Tags: discovery persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256 58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166

Threat Level: Likely malicious

The file 58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Deletes itself

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:36

Reported

2024-11-10 01:38

Platform

win7-20240903-en

Max time kernel

119s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D70C1F17-9054-467a-ACAC-1BC143080616}\stubpath = "C:\\Windows\\{D70C1F17-9054-467a-ACAC-1BC143080616}.exe" | C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}\stubpath = "C:\\Windows\\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe" | C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9} | C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}\stubpath = "C:\\Windows\\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe" | C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB} | C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}\stubpath = "C:\\Windows\\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe" | C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F} | C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}\stubpath = "C:\\Windows\\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe" | C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D70C1F17-9054-467a-ACAC-1BC143080616} | C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68FF437E-50B5-4897-8273-98522A27F886} | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68FF437E-50B5-4897-8273-98522A27F886}\stubpath = "C:\\Windows\\{68FF437E-50B5-4897-8273-98522A27F886}.exe" | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943} | C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}\stubpath = "C:\\Windows\\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe" | C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5} | C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00} | C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}\stubpath = "C:\\Windows\\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe" | C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC} | C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}\stubpath = "C:\\Windows\\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe" | C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe | C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe | N/A
File created | C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe | C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe | N/A
File created | C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | N/A
File created | C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe | C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe | N/A
File created | C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe | C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe | N/A
File created | C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe | C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe | N/A
File created | C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe | C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe | N/A
File created | C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe | C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe | N/A
File created | C:\Windows\{D70C1F17-9054-467a-ACAC-1BC143080616}.exe | C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D70C1F17-9054-467a-ACAC-1BC143080616}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1708 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe
PID 1708 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2680 | N/A | C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe | C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe
PID 2320 wrote to memory of 2824 | N/A | C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2804 | N/A | C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe | C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe
PID 2680 wrote to memory of 2964 | N/A | C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2712 | N/A | C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe | C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe
PID 2804 wrote to memory of 2624 | N/A | C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 3044 | N/A | C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe | C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe
PID 2712 wrote to memory of 3052 | N/A | C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2776 | N/A | C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe | C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe
PID 3044 wrote to memory of 2944 | N/A | C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1056 | N/A | C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe | C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe
PID 2776 wrote to memory of 316 | N/A | C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1056 wrote to memory of 1760 | N/A | C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe | C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe
PID 1056 wrote to memory of 2436 | N/A | C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe

"C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe"

C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe

C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\58CE96~1.EXE > nul

C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe

C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{68FF4~1.EXE > nul

C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe

C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1A6A0~1.EXE > nul

C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe

C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3AB36~1.EXE > nul

C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe

C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{68DB6~1.EXE > nul

C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe

C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{97D3B~1.EXE > nul

C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe

C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{479CA~1.EXE > nul

C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe

C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3C4D9~1.EXE > nul

C:\Windows\{D70C1F17-9054-467a-ACAC-1BC143080616}.exe

C:\Windows\{D70C1F17-9054-467a-ACAC-1BC143080616}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D73B2~1.EXE > nul

Network

N/A

Files

C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe
C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe
C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe
C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe
C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe
C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe
C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe
C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe
C:\Windows\{D70C1F17-9054-467a-ACAC-1BC143080616}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:36

Reported

2024-11-10 01:38

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}\stubpath = "C:\\Windows\\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe" | C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F113B9E7-55B0-4560-8197-ED52F0088DE1} | C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F113B9E7-55B0-4560-8197-ED52F0088DE1}\stubpath = "C:\\Windows\\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe" | C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6666B8D5-181F-408a-BEBF-E46106FF03B0} | C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5050B60F-B3EA-4987-98F9-09F9B0E88C41} | C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1} | C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC} | C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200} | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}\stubpath = "C:\\Windows\\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe" | C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD} | C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8} | C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}\stubpath = "C:\\Windows\\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe" | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6666B8D5-181F-408a-BEBF-E46106FF03B0}\stubpath = "C:\\Windows\\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe" | C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}\stubpath = "C:\\Windows\\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe" | C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC} | C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}\stubpath = "C:\\Windows\\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe" | C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}\stubpath = "C:\\Windows\\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe" | C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}\stubpath = "C:\\Windows\\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe" | C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | N/A
File created | C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe | C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe | N/A
File created | C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe | C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe | N/A
File created | C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe | C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe | N/A
File created | C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe | C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe | N/A
File created | C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe | C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe | N/A
File created | C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe | C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe | N/A
File created | C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe | C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe | N/A
File created | C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe | C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4712 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe
PID 4712 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe
PID 4712 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe
PID 4712 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 5044 N/A C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe
PID 1552 wrote to memory of 5044 N/A C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe
PID 1552 wrote to memory of 5044 N/A C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe
PID 1552 wrote to memory of 1136 N/A C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1136 N/A C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1136 N/A C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 3236 N/A C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe
PID 5044 wrote to memory of 3236 N/A C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe
PID 5044 wrote to memory of 3236 N/A C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe
PID 5044 wrote to memory of 4752 N/A C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 4752 N/A C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 4752 N/A C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 2428 N/A C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe
PID 3236 wrote to memory of 2428 N/A C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe
PID 3236 wrote to memory of 2428 N/A C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe
PID 3236 wrote to memory of 2612 N/A C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 2612 N/A C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 2612 N/A C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 3564 N/A C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe
PID 2428 wrote to memory of 3564 N/A C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe
PID 2428 wrote to memory of 3564 N/A C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe
PID 2428 wrote to memory of 4884 N/A C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 4884 N/A C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 4884 N/A C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 3956 N/A C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe
PID 3564 wrote to memory of 3956 N/A C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe
PID 3564 wrote to memory of 3956 N/A C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe
PID 3564 wrote to memory of 4640 N/A C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 4640 N/A C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 4640 N/A C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 2380 N/A C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe
PID 3956 wrote to memory of 2380 N/A C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe
PID 3956 wrote to memory of 2380 N/A C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe
PID 3956 wrote to memory of 3380 N/A C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3380 N/A C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3380 N/A C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 216 N/A C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe
PID 2380 wrote to memory of 216 N/A C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe
PID 2380 wrote to memory of 216 N/A C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe
PID 2380 wrote to memory of 1812 N/A C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 1812 N/A C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 1812 N/A C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 3248 N/A C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe
PID 216 wrote to memory of 3248 N/A C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe
PID 216 wrote to memory of 3248 N/A C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe
PID 216 wrote to memory of 4676 N/A C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 4676 N/A C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 4676 N/A C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe

"C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe"

C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe

C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\58CE96~1.EXE > nul

C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe

C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{41D6B~1.EXE > nul

C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe

C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6666B~1.EXE > nul

C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe

C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5050B~1.EXE > nul

C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe

C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{51E32~1.EXE > nul

C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe

C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{074A6~1.EXE > nul

C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe

C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E63A2~1.EXE > nul

C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe

C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F113B~1.EXE > nul

C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe

C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AF47E~1.EXE > nul

Network


Files

C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe


C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe


C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe


C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe


C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe


C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe


C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe


C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe


C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe
